THIS WEEK IN SECURITY: THE LOG4J THAT WON’T GO AWAY, WEBOS, AND MORE

In the past two weeks, Log4j has continued to drive security news, with more vulnerable platforms being found, as well as extra CVEs coming out. First up is work done by TrendMicro, looking at electric vehicles and chargers. They discovered a Log4j attack in one of the published charger frameworks, and also managed to observe evidence of vulnerability in the Tesla In-Vehicle Infotainment system. It isn’t a stretch to imagine a piece of malware that could run on both a charger and an EV. And since those systems talk to each other, they could spread the virus with vehicles moving from charger to charger.

Log4j is now up to 2.17.1, as there is yet another RCE to fix, CVE-2021-44832. This one is only scored a 6.6 on the CVSS scale, as opposed to the original, which weighed in at a 10. 44832 requires the attacker to first exert control over the Log4j configuration, making exploitation much more difficult. This string of follow-on vulnerabilities demonstrates a well-known pattern, where a high-profile vulnerability attracts the attention of researchers, who discover other issues in the same code.

There are now reports of Log4j being used in Conti ransomware campaigns. Additionally, a Mirai-based worm has been observed. This self-propagating attack seems to be targeting Tomcat servers, among others.

WebOS Falls to a Snapshot

[David Buchanan] acknowledges that while this is an interesting exploit, there isn’t much utility to it at this point. That might change, but let’s look at the flaw for now. Snapshots are a neat feature in the V8 JavaScript engine. When you navigate to a web page, the JavaScript context for that page has to be created in memory, including loading all the libraries called by the page. That doesn’t take too long on a desktop, but on an embedded device or a cell phone loading a local interface, this initialization step can represent a large portion of the time needed to draw the requested page. Snapshots are a great hack, where the context is initialized and then saved. When the interface is later opened, the V8 engine can be called with that file, and the context is pre-initialized, making the launch of the app or interface appreciably faster. The only catch is that V8 expects snapshots to only be loaded from a trusted source.

On to the WebOS platform itself. Individual apps are sandboxed, but web apps run their code in the context of the WebAppMgr (WAM), their browser based on Chromium/V8. While the individual apps are sandboxed, WAM is not. The kicker is that a web app can specify its own snapshot to load into V8. Loading a corrupted snapshot gave [David] JS type confusion, and an arbitrary read/write primitive as a result. From there, breaking out of running JS and into actual shellcode was relatively easy. This RCE runs as the “wam” user, but this is a mildly privileged account. Notably, wam has access to /dev/mem — direct access to system memory. Escalation to root is almost trivial.

[David] has published the full PoC, noting that LG notoriously underpays for bug bounties. I do disagree with his assertion that this attack entirely relies on side-loading a malicious app, for the simple reason that LG does run their content store for this platform. A malicious developer may be able to bypass any malware detection routines that LG uses to vet apps. Malicious apps on the app store are definitely nothing new, after all. The worst part of this exploit is that it’s difficult to put one’s finger on where the vulnerability lies.

Four-Bug Team in Teams

[Fabian Bräunlein] discovered some interesting unintended behavior in Microsoft Teams’ link preview feature. The first problem is a Server Side Request Forgery. The link preview is generated on the Teams server side, and by definition requires opening the page to generate the preview. The issue is the lack of filtering — linking to 127.0.0.1:80 generates a preview of what is found on the Teams server’s localhost.

Up next is a simple link spoofing technique. This uses a tool like Burp to change the data sent by the Teams client. Part of the message that gets sent when embedding a link is the URL to call for preview generation. No further validation is done, so it’s possible to generate a preview from a benign URL, while the actual link goes to an arbitrary page. The third issue is related, as the link to the thumbnail itself is also in this message, and can be tampered with. The interesting use-case here is that an attacker could set this to a URL that they control, and extract information from a target, namely the public IP address. Now this is blocked by the target’s client on most platforms, but on Android the checks were missing.

And finally, also an Android-only issue, an attacker can send a “Message of Death”, essentially a malformed message that crashes the app just by trying to render the preview. This crashes the app every time the user tries to access the chat, effectively locking the user out of the app altogether. Now these aren’t earth-shattering issues, but Microsoft’s collective shrug in response is… underwhelming. They have stealth-patched the IP address leak, but it’s apparently still possible to spoof link previews, as well as crash the Android app.
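The first three Teams issues share one root cause: the server trusts URLs the client hands it. The following is an added example (not code from the article, from Microsoft, or from the researcher) of what a server-side link preview generator should do before it fetches anything: resolve the host and refuse loopback, private, link-local and IPv4-mapped addresses (the SSRF), and require the preview and thumbnail URLs to share the origin of the link actually being sent (the spoofing and IP-leak issues). The name table, the sample addresses and the same-origin policy are assumptions made for the example; a real fetcher resolves through DNS, connects to the address it validated, and repeats the check on every redirect hop.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name table so the example runs offline. A real fetcher would resolve via DNS,
# connect to the validated address rather than re-resolving, and re-run this check on every
# redirect, otherwise a public name can bounce the fetcher to localhost.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve(host, table=FAKE_DNS):
    """Return the addresses a hostname maps to; IP literals map to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return table.get(host.lower(), [])


def is_public_address(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:127.0.0.1 is loopback in disguise: unwrap IPv4-mapped IPv6 before classifying
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url):
    """Decide whether the preview generator may fetch this URL. Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host"
    addrs = resolve(host)
    if not addrs:
        return False, "unresolvable host: %s" % host
    for addr in addrs:
        if not is_public_address(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


def origin(url):
    """(scheme, host, port) with the default port filled in, for same-origin comparison."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme))


def validate_preview_request(link_url, preview_url, thumbnail_url):
    """Server-side validation of the three URLs a client submits with a link.

    Policy (an assumption for this example): the preview and thumbnail URLs must share the
    origin of the link that is actually sent, so a benign preview cannot front a different
    destination and the thumbnail cannot point at an attacker-controlled host; everything
    the server fetches must also resolve to a public address.
    """
    if origin(preview_url) != origin(link_url):
        return False, "preview URL origin does not match link"
    if origin(thumbnail_url) != origin(link_url):
        return False, "thumbnail URL origin does not match link"
    return check_fetch_url(link_url)


if __name__ == "__main__":
    for u in ("http://127.0.0.1:80/", "http://[::ffff:127.0.0.1]/", "https://example.com/page"):
        print(u, check_fetch_url(u))
```

The IPv4-mapped unwrap matters because older Python versions classify `::ffff:127.0.0.1` as neither loopback nor private, which is exactly the kind of gap a filter that only blocks the literal string `127.0.0.1` leaves open.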

PBX Backdoors

Researchers at RedTeam Pentesting took a look at a PBX designed by Auerswald, a German manufacturer of telecom equipment. What caught their eye was an advertised service, where Auerswald could perform an admin password reset for a customer locked out of their equipment. This is a textbook backdoor, and definitely warranted investigation.

If only it were this kind of backdoor: https://xkcd.com/806/
Their approach, rather than attacking the hardware directly, was to grab the latest firmware bundle from Auerswald’s website, and analyze that. Use of the file, gunzip, and dumpimage utilities gave them the root filesystem they needed. Working through the web of config files, they settled on the webserver binary that most likely contained the password reset backdoor. Just a note, it’s extremely common for embedded devices to include all their user interface and configuration logic in a single httpd binary.

Given a binary, they turned to what has quickly become the preferred tool of security researchers everywhere, Ghidra. They had another hint, the “sub-admin” user, so searched for that string using Ghidra. Paydirt. Drilling down through functions, the hardcoded username “Schandelah” was there. A bit more sleuthing came up with the password function. For each of these PBXs, the backdoor password is the first 7 characters of the MD5 hash of the unit’s serial number + “r2d2” + the current date.

Just for fun, the researchers used Ghidra to search for other uses of the backdoor password function. Turns out, if the admin user is specified, and the password doesn’t match the user-configured password, it’s compared to this algorithm. If it matches? You’re logged in as admin on the hardware. This is obviously more useful than resetting the admin password, as it allows access without any obvious changes to the system. The whole article is a great tutorial on using Ghidra for this kind of research.

Auerswald very quickly pushed out firmware changes to correct the issues identified. A backdoor like this one, that is publicly disclosed, is not nearly the legal and ethical landmine that some of the others we’ve discussed here are. There is still a problem with the implementation — a password reset should also reset the device to factory settings and delete user data. Anything less is inviting major data disclosure.

SAM Spoofing

This Windows Active Directory privilege escalation vulnerability is interesting for its simplicity. It’s a combination of CVE-2021-42287 and CVE-2021-42278. Windows Active Directory has two distinct types of accounts, user and machine accounts. Machine accounts are used to bring specific hardware into the domain, and generally end with the dollar sign (MyMachine1$). By default, a user can create machine accounts, as well as rename those accounts. The first issue is that a user could create and then rename a machine account to the same name as a domain controller, just without that final dollar sign. For example, I could create MyMachine1$, then rename it to DomainController1. DomainController1$ would still exist, and the domain would see those as separate machine accounts.

Modern Windows domains use Kerberos under the hood, and Kerberos uses the ticket paradigm. An account can request a Ticket Granting Ticket (TGT) that acts as a temporary authentication token. Think of it as a password replacement that can be automatically sent with requests. The attack is to request a TGT for the renamed machine account, and then rename that account once again, back to MyMachine1. The key is that the attacker still has a valid ticket for the DomainController1 account, even though an account no longer exists with that exact name. Next, the attacker requests a session key from the Key Distribution Center (KDC) using this TGT. The KDC notes that the requesting account doesn’t exist, and helpfully appends the dollar sign and runs the check again. It sees the valid TGT for DomainController1, and returns a session key authorizing the attacker as DomainController1$, which happens to be a domain admin account.
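Because the whole trick rests on a computer object whose sAMAccountName has lost its trailing dollar sign and now shadows a domain controller, the state that makes it possible is visible in the directory. The following is an added example (not code from the article or from Microsoft) of an audit over a constructed list of directory objects: it flags computer objects without the trailing `$`, and any account whose name equals a domain controller’s name minus the `$`, which is exactly the name the KDC’s append-and-retry fallback would resolve to the DC. The sample objects and the DC list are constructed for the example; in practice they would come from an LDAP query for `(objectClass=computer)` and the domain’s DC list.

```python
# Constructed sample of directory objects. A real audit would pull sAMAccountName and
# objectClass for every object via LDAP and take the DC list from the domain.
DOMAIN_CONTROLLERS = ["DC01$", "DC02$"]

SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "objectClass": "computer"},     # the real domain controller
    {"sAMAccountName": "DC02$", "objectClass": "computer"},
    {"sAMAccountName": "WS-0042$", "objectClass": "computer"},  # ordinary workstation, well formed
    {"sAMAccountName": "DC01", "objectClass": "computer"},      # renamed machine account: shadows DC01$
    {"sAMAccountName": "jdoe", "objectClass": "user"},
    {"sAMAccountName": "dc02", "objectClass": "user"},          # user name that the "$" fallback maps to DC02$
]


def audit_samaccountnames(accounts, domain_controllers):
    """Return (sAMAccountName, reason) findings for names that enable the renaming trick.

    Two checks, both derived from the article's description of the flaw:
      1. a computer object whose sAMAccountName lacks the trailing "$"; only a rename
         (or a deliberately odd creation) produces this, so it is worth a look every time;
      2. any account whose name, case-insensitively, equals a DC's name without "$";
         this is the name a TGT would carry and the KDC would "repair" to the DC.
    """
    findings = []
    dc_names = {dc.upper().rstrip("$") for dc in domain_controllers}
    for acct in accounts:
        name = acct["sAMAccountName"]
        if acct["objectClass"] == "computer" and not name.endswith("$"):
            findings.append((name, "computer object without trailing $"))
        if name.upper() in dc_names:
            findings.append((name, "collides with domain controller %s$" % name.upper()))
    return findings


if __name__ == "__main__":
    for name, reason in audit_samaccountnames(SAMPLE_ACCOUNTS, DOMAIN_CONTROLLERS):
        print("%-10s %s" % (name, reason))
```

The audit is a detective control; the preventive ones are applying the November 2021 patches that made the KDC validate these names, and lowering the `ms-DS-MachineAccountQuota` attribute so ordinary users cannot create machine accounts in the first place, since that default of 10 is what lets the attack start.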

Chrome’s Aging Pains

It’s said that we didn’t get a Windows 9, because too many old apps were written with regex that would refuse to run, complaining that the application wouldn’t work on Windows 95 or 98. Chrome is trying to avoid a similar problem, as Google’s developers see version 100 on the horizon. This kind of thing has bitten web browsers before, notably when Opera released version 10, further breaking the user-agent string in the process. Firefox is getting in on the fun as well, and both browsers’ developers have a request of you: browse the web with a spoofed user-agent string, and let them know what breaks as a result of version 100. This would be a great chance to test your own sites, too. Let us know if you see any particularly strange results.
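The breakage the browser vendors are worried about is easy to reproduce. The following is an added example (not code from the article or from either browser project) that puts the classic two-digit version regex beside a correct one and runs both over constructed Chrome 99, Chrome 100 and Firefox 100 user-agent strings, plus a small helper that rewrites the major version so you can exercise your own site's checks the way the article suggests. The strings and the `minimum=90` support threshold are assumptions for the example.

```python
import re

# Constructed user-agent strings in the standard Chrome and Firefox formats
# (the build numbers are illustrative).
UA_CHROME_99 = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
                "Chrome/99.0.4844.51 Safari/537.36")
UA_CHROME_100 = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
                 "Chrome/100.0.4896.60 Safari/537.36")
UA_FIREFOX_100 = "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"

# The classic mistake: the pattern hard-codes a two-digit major version, so "Chrome/100."
# matches as "10", and any "minimum version" gate built on it suddenly locks out the newest browser.
NAIVE_CHROME = re.compile(r"Chrome/(\d\d)")

# Correct: any number of digits, anchored by the dot that starts the minor version.
ROBUST = re.compile(r"(?:Chrome|Firefox)/(\d+)\.")


def naive_major(ua):
    """Major version as the buggy two-digit pattern sees it."""
    m = NAIVE_CHROME.search(ua)
    return int(m.group(1)) if m else None


def robust_major(ua):
    """Major version parsed with a digit-count-agnostic pattern."""
    m = ROBUST.search(ua)
    return int(m.group(1)) if m else None


def naive_is_supported(ua, minimum=90):
    """A 'your browser is too old' gate built on the buggy parser."""
    major = naive_major(ua)
    return major is not None and major >= minimum


def is_supported(ua, minimum=90):
    """The same gate built on the robust parser."""
    major = robust_major(ua)
    return major is not None and major >= minimum


def spoof_major(ua, new_major):
    """Rewrite the browser major version in a UA string, to test a site ahead of version 100."""
    return re.sub(r"(Chrome|Firefox)/\d+\.",
                  lambda m: "%s/%d." % (m.group(1), new_major), ua)


if __name__ == "__main__":
    for ua in (UA_CHROME_99, UA_CHROME_100, UA_FIREFOX_100):
        print(naive_major(ua), robust_major(ua), naive_is_supported(ua), is_supported(ua))
```

Version 99 passes both parsers, which is why a site can look fine right up until the day the major version grows a digit.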
